4.4

CVE-2020-15095

Sensitive information exposure through logs in npm cli

Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. The CLI supports URLs like "<protocol>://[<user>[:<password>]@]<hostname>[:<port>][:][/]<path>". The password value is not redacted and is printed to stdout and also to any generated log files.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
NpmjsNpm Version < 6.14.6
OpensuseLeap Version15.1
OpensuseLeap Version15.2
FedoraprojectFedora Version33
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.42% 0.334
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 4.4 0.8 3.6
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N
nvd@nist.gov 1.9 3.4 2.9
AV:L/AC:M/Au:N/C:P/I:N/A:N
security-advisories@github.com 4.4 0.8 3.6
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N
CWE-532 Insertion of Sensitive Information into Log File

The product writes sensitive information to a log file.

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4OOYAMJVLLCLXDTHW3V5UXNULZBBK4O6/
https://security.gentoo.org/glsa/202101-07
Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00011.html
Third Party Advisory
Mailing List
http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00015.html
Third Party Advisory
Mailing List
http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00023.html
Third Party Advisory
Mailing List
https://github.com/npm/cli/blob/66aab417f836a901f8afb265251f761bb0422463/CHANGELOG.md#6146-2020-07-07
Third Party Advisory
Release Notes
https://github.com/npm/cli/commit/a9857b8f6869451ff058789c4631fadfde5bbcbc
Patch
Third Party Advisory
https://github.com/npm/cli/security/advisories/GHSA-93f3-23rq-pjfp
Third Party Advisory